The Biden Administration’s Recent Cybersecurity Executive Orders and What they Could Mean for Federal Contractors and Other IT and Software Providers
President Biden has made protecting America’s critical infrastructure and Americans’ sensitive information from cybersecurity threats and attacks an important administrative initiative. In the midst of his first major overseas trip, he issued Executive Order 14034, titled “Protecting Americans’ Sensitive Data from Foreign Adversaries” (“EO 14034”). This EO comes less than a month after Executive Order 14028, titled “Improving the Nation’s Cybersecurity” (“EO 14028”).
These two EOs reflect a plan by the Biden Administration to leverage the power of the Federal Government to address national security threats posed by cyber-attacks. Those threats are evident in a series of recent and high-profile ransomware attacks, including last year’s SolarWinds attack and the more recent attacks on Colonial Pipeline and JBS Meats. According to the Biden Administration, these EOs are meant to address the “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, private sector, and ultimately the American people’s security and privacy.”
This post summarizes the EOs and the implications they could have for federal contractors and other service providers.
EO 14034 focuses on connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, including and especially China. The EO defines connected software applications as “software . . . designed to be used on an end-point computing device” that includes the “functionality” to “transmit data via the Internet.” That definition is sweeping and could include any Wi-Fi enabled or internet-connected device made in China.
The EO flags the use of certain connected software applications as a threat to Americans’ personal information and proprietary business information. Among other things, EO 14034 requires the Secretary of Commerce, with assistance from other agencies, to evaluate transactions involving these applications to assess whether they pose (i) an undue risk of “sabotage or subversion” in their “design, integrity, manufacturing, production, distribution, installation, operation, or maintenance,” (ii) an undue risk of causing “catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States,” or (iii) an otherwise unacceptable risk to the national security of the United States or the safety and security of United States persons.
After undertaking that evaluation, the Secretary must provide a report, within the next six months, recommending additional executive and legislative actions to address the risk associated with the use of connected software applications by U.S. persons. Those actions could lead to additional regulatory guidance and greater scrutiny of federal contractors.
EO 14028 is the denser of the two executive orders and seeks to strengthen America’s cybersecurity infrastructure. At eighteen pages long and saturated with cybersecurity jargon, abbreviations, acronyms, and aggressive timelines, this EO tome is a challenging read even for those who specialize in the area. Fortunately, the White House also issued an accompanying Fact Sheet that sets out the seven primary goals that the Biden Administration intends to pursue. They are:
- Teach adults (in governmental agencies and the private sector) something that we teach preschoolers—sharing is caring.
The EO calls for the removal of barriers to threat information sharing between government and the private sector, including in federal IT service provider contracts. To that end, federal contracts will likely need to include provisions that mandate the sharing of cybersecurity event information with a laundry list of U.S. federal agencies.
Specifically, Section 2 of EO 14028 mandates a review and update of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) to ensure that government service providers (1) collect and preserve relevant information to prevent, detect, respond to, and investigate such events, (2) share this information with appropriate federal agencies, (3) share this information using industry-recognized formats (i.e., APIs or other approved mechanisms), and (4) provide support to and collaborate with the appropriate federal cybersecurity agencies.
- Bring the federal cybersecurity infrastructure into the present day (or at least the 21st century) by modernizing federal cybersecurity standards.
Section 3 of the EO mandates that the Federal Government modernize its approach to cybersecurity, including by adopting security best practices (such as multi-factor authentication and encryption), advancing toward a zero trust architecture, and accelerating the move from legacy systems to more secure cloud services. The EO requires certain federal agencies, within 60 days of the order (i.e., by July 11, 2021), to develop a plan to achieve these goals and report that plan to the Office of Management and Budget.
- Address the weakest (cybersecurity) links in the federal software supply chain by calling for the establishment of baseline security standards for any software sold to the government.
To incentivize software providers to build more secure software, EO 14028 proposes the creation of a pilot program to develop a labeling program, similar to the Environmental Protection Agency’s “Energy Star Program,” for software that meets baseline security standards to reduce the number of vulnerabilities in software shipped to the Federal Government.
We eagerly await the name and logo for this pilot program. (“Certified Yes Best Encryption Requirements (C.Y.B.E.R)” with three red stars inside a blue padlock as the logo?).
- Create a “Cybersecurity Safety Review Board,” modeled on the National Transportation Safety Board.
According to the EO, the Board will be co-chaired by government and private sector leads who “may” convene following a significant cyber incident to analyze what happened and make concrete recommendations. The Board’s purpose will be to “ask the hard questions and make necessary improvements.” It is not clear from the EO whether the Board will have any power or be merely advisory, but its creation hints at the Biden Administration’s desire for a fundamental shift in the government’s approach to cybersecurity threats.
- Implement a standard response playbook for responding to cybersecurity incidents.
According to the EO, the plan is to create a universal set of definitions for cyber incident response by federal departments and agencies, to ensure that all federal agencies meet a “certain threshold and are prepared to take uniform steps to identify and mitigate a threat.”
- Improve the Federal Government’s ability to detect cybersecurity incidents on its networks.
The EO proposes to enable a government-wide endpoint detection and response system and improved information sharing within the Federal Government. This aspect of the EO emphasizes the Biden Administration’s view that intra-government information sharing is essential to securing the government’s infrastructure.
- Improve the Federal Government’s ability to investigate and remediate cybersecurity incidents.
The EO requires federal departments and agencies to create a cybersecurity event log. That requirement reflects the Biden Administration’s view that poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.
In the upcoming weeks and months there will likely be a wave of agency reports relating to these seven goals that should provide more substantive guidance on what EO 14028 will require of federal contractors.
The Executive Orders’ Impact on Federal Contractors and Other Service Providers
What we do know now is that companies that supply “critical software,” a category that is to be defined by July 26 by the Director of the Cybersecurity and Infrastructure Security Agency, should plan on having to take some specific measures within the next year. Among other things, they should be prepared to share, as a matter of course, information that companies have previously viewed as proprietary with the government. These companies should therefore consider what incremental steps they can take now, such as identifying essential personnel and the key types of information likely to be sought, to ease the compliance ramp-up.
Even for service providers that are not currently government contractors, these EOs could have a significant impact on business. The Federal Government is the largest single purchaser of goods and services in the world. Every year, it awards more than $500 billion in contracts. President Biden’s stated goal is to “use the power of the Federal Government to incentivize the market.” And although EO 14028 primarily seeks to heighten the cybersecurity standards for federal contractors, those standards will have ripple effects in the private sector and for service providers not directly engaged in federal contracts.
For example, even if Company X does not sell directly to the Federal Government, one of its primary customers may be a government contractor, and Company X’s products or offerings could be incorporated into that customer’s products or service offerings to the Federal Government. In these instances, the federal contractors will most likely seek to push down the terms they have agreed to with the Federal Government to their subcontractors or suppliers.
Another likely ripple effect is that, taken together, these two EOs allow the Biden Administration to raise cybersecurity standards for federal IT and software contracts, which will eventually raise the standard for private sector contracts as companies become more accustomed to dealing with the federal requirements. One more likely effect of the EOs relates to companies that compete in the private sector against companies that hold federal contracts. A software provider that obtains the coveted security label contemplated by EO 14028 (whether “C.Y.B.E.R star” or otherwise) for purposes of its federal contracting will have a competitive advantage over companies that lack this label when bidding for private sector contracts.
By leveraging the enormous spending power and clout of the Federal Government, the Biden Administration is seeking to push American businesses toward stronger cybersecurity protections and protocols. At minimum, these EOs will have a lasting impact on information sharing and on contracts for federal government software purchases. But those impacts will inevitably filter down to the private sector as well.
Please contact our team if you want to know more about what you and your business can do to prepare for the additional requirements that will flow from these Executive Orders.